From: Antonios Vamporakis <ant@area128.com> Date: Tue, 31 Dec 2013 01:05:42 +0100 Subject: [PATCH] lzma: fix buffer bound check error Variable uncompressedSize references the space available, while outSizeFull is the actual expected uncompressed size. Using the wrong value causes LzmaDecode to return SZ_ERROR_INPUT_EOF. Problem was introduced in commit afca294. While at it add additional debug message. Signed-off-by: Antonios Vamporakis <ant@area128.com> CC: Kees Cook <keescook@chromium.org> CC: Simon Glass <sjg@chromium.org> CC: Daniel Schwierzeck <daniel.schwierzeck@gmail.com> CC: Luka Perkov <luka@openwrt.org> --- lib/lzma/LzmaTools.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/lib/lzma/LzmaTools.c +++ b/lib/lzma/LzmaTools.c @@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned c return SZ_ERROR_OUTPUT_EOF; /* Decompress */ - outProcessed = *uncompressedSize; + outProcessed = outSizeFull; WATCHDOG_RESET(); @@ -111,6 +111,9 @@ int lzmaBuffToBuffDecompress (unsigned c inStream + LZMA_DATA_OFFSET, &compressedSize, inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc); *uncompressedSize = outProcessed; + + debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed); + if (res != SZ_OK) { return res; }